
List:       ipng
Subject:    Re: About RFC 6874
From:       Brian E Carpenter <brian.e.carpenter () gmail ! com>
Date:       2015-09-08 2:46:48
Message-ID: 55EE4C18.8090903 () gmail ! com

On 08/09/2015 13:33, Kerry Lynn wrote:
> On Fri, Aug 21, 2015 at 10:32 AM, Brian Haberman <brian@innovationslab.net>
> wrote:
> 
>> Hi all,
>>
>> On 8/17/15 4:10 PM, 神明達哉 wrote:
>>> At Sat, 15 Aug 2015 08:20:29 +1200,
>>> Brian E Carpenter <brian.e.carpenter@gmail.com> wrote:
>>>
>>>> So, reading the latest bugzilla update on this topic, I find
>>>> myself wondering whether RFC 6874 was such a good idea:
>>>>
>>>> https://www.w3.org/Bugs/Public/show_bug.cgi?id=27234#c2
>>>
>>> Among the reasons why they don't like to support it, the arguments
>>> about the applicability and the underlying library issues don't seem
>>> to be very strong or at least do seem to be debatable.  But the
>>> requirement for transforming the URI is a real issue on any approach
>>> of this kind (i.e., regardless of which delimiter character is used).
>>> So, if they are not willing to do this transformation even if we can
>>> convince them about the other two points, it's not just RFC6874 was
>>> not a good idea, but it's that there will simply be no chance to
>>> use a literal scoped address with its zone index in any way in
>>> browsers.  As I'm not familiar with the w3c community I'm not sure if
>>> we're in that situation, but my impression from the arguments in the
>>> above link is that it's less likely that further discussion can change
>>> their mind.  In that case it would be more productive for us to use
>>> our time for something else.
>>
>> We do have a W3C liaison manager who we could work with to see what that
>> community is thinking in this space.  Our liaison manager is Mark
>> Nottingham and the IAB liaison shepherd for W3C is Ted Hardie.
>>
>> I note that the W3C TPAC meeting is being held in Sapporo the week before
> IETF 94.
> Do we need to formally request that Mark put this on their agenda for
> discussion?
> 
> Regarding this language in RFC 6874, Section 4 "Security Considerations":
> 
>  An HTTP client, proxy, or other intermediary MUST remove any ZoneID
>  attached to an outgoing URI, as it has only local significance at the
>  sending host.
> 
> 
> Is the main concern that ZoneID represents a possible covert channel?
> Is this something we are willing to relax?

As covert channels go, it seems pretty mild and not really covert.
I think I was more concerned about it being used to create bizarre
attacks by persuading a remote system to generate link local packets.

However, it's already embarrassing that it formally breaks running code
(CUPS) so my mind is definitely open.

    Brian

--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
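The RFC 6874 Section 4 requirement quoted in this thread (remove any ZoneID from an outgoing URI), sketched as an added example that is not part of the original message or of any project's code. The function name `strip_zone_id` and the sample URIs are constructed for illustration; the zone is returned separately because it is only meaningful to the sending host's own socket layer.

```python
import ipaddress
import re

# scheme "://" [userinfo "@"] "[" IP-literal "]" rest-of-URI
_URI = re.compile(
    r"^([A-Za-z][A-Za-z0-9+.-]*://(?:[^/?#@]*@)?)\[([^\]]*)\](.*)$", re.S
)


def strip_zone_id(uri):
    """Return (outgoing_uri, zone_id).

    outgoing_uri is the URI with any RFC 6874 ZoneID removed, which is the
    form that may leave the host. zone_id is the local interface identifier
    (or None); it is used only when opening the local socket.
    URIs whose host is not a bracketed IP literal are returned unchanged.
    """
    m = _URI.match(uri)
    if m is None:
        return uri, None
    prefix, literal, rest = m.groups()

    # RFC 6874: IPv6addrz = IPv6address "%25" ZoneID
    addr, sep, zone = literal.partition("%25")
    if "%" in addr or (sep and not zone):
        # A bare "%" or an empty ZoneID is not valid URI syntax. Refuse it
        # rather than pass an unparsed literal on to the wire.
        raise ValueError(f"malformed zone identifier in host: [{literal}]")

    # Raises ValueError (AddressValueError) if the address part is malformed.
    ipaddress.IPv6Address(addr)
    return f"{prefix}[{addr}]{rest}", (zone or None)


if __name__ == "__main__":
    # Constructed sample URIs.
    for sample in (
        "http://[fe80::a%25en1]:631/printers/x",
        "http://[2001:db8::1]/",
        "http://example.com/",
    ):
        print(sample, "->", strip_zone_id(sample))
```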
